Introduction


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals' rights.


The public consultation on the draft code will remain open until 4
March 2020. The Information Commissioner welcomes feedback on
the specific questions set out below.


You can email your response to directmarketingcode@ico.org.uk 


Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
our privacy notice 


Q1 Is the draft code clear and easy to understand?

Yes
[ ] No

If no please explain why and how we could improve this:

The draft code is, in our view, clearer than the current code it is replacing. However, we would
ask that the ICO revises the draft code to clarify a number of points.

The disproportionate effort derogation (page 49)

Could the ICO please provide examples of situations in which the Commissioner believes this
derogation may apply.

Refer a friend (pages 54 and 83)

We strongly endorse the comments made by the Data Protection Network, made available here,
about the manner in which businesses might conduct refer a friend marketing that complies with
the letter and the spirit of the data protection laws, adds value to consumers and allows business
to grow based upon positive referrals.

Example about joint marketing campaigns (page 27)

The ICO suggests in the example that the supermarket needs to ensure that “there is appropriate
consent from its customers to receive direct marketing promoting the charity.” Can the ICO
please clarify, in relation to this example, what would amount to ‘appropriate consent’ - does the
supermarket in the example provided need separate opted in consent to send marketing about
the charity?


Can we target our customers or supporters on social media 

The ICO suggests that individuals will not expect to be targeted on social media. The draft further
states that consent is likely to be the most appropriate legal basis for processing in this context.
We disagree with this view and believe customers are very aware and used to seeing ads on
social media. In the ICO’s Report on Adtech and Real Time Bidding, it cites Article 29 Working
Party (‘A29WP’) Guidance noting that behavioural targeting is unlikely to be justified on the basis
of legitimate interest - such A29WP views however often relate to scenarios where there is wide
volumes of data collection across sites with little consumer awareness. In contrast, standard
custom audience targeting generally works very differently: it does not depend on building large
profiles, but just allows a marketer to reach an individual they already know in a different
(ad-supported) medium.


Can we target people on social media who are similar to our customers or supporters?
(page 91)


The ICO suggests that we “need to be satisfied that the social media platform has taken all 
necessary steps to provide the appropriate transparency information to individuals.” We consider 
the ICO’s guidance on the use of advertising services provided by social media giants to be 
impractical. As the ICO undoubtedly understands, individual retailers have no capacity to affect 
the manner in which these platforms operate. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to duplicate all 
our existing data protection and e-privacy guidance) 


[X] Yes
[ ] No

If no please explain what changes or improvements you would like to
see?


Please note our comments elsewhere in this response. 


[X] Yes
[ ] No

If no please outline what additional areas you would like to see
covered:

On the whole, yes. However, we request the draft code covers additional issues.

Time period for stopping sending direct marketing after a customer withdraws
consent/objects to processing for direct marketing purposes

The ICO has previously published time frames in which it expects companies to stop sending
direct marketing communications after a customer withdraws consent or objects to
processing for direct marketing purposes. These guidelines are a useful means of managing
a customer's expectations, especially in the case of postal marketing where lead times for
printing and mail sorts can be quite lengthy. Could the ICO please address this issue in the
draft code.


Q4 Does the draft code address the areas of data protection and
e-privacy that are having an impact on your organisation's direct
marketing practices?


Yes
[ ] No


If no please outline what additional areas you would like to see covered 


Please note our comments elsewhere in this response. 


Q5 Is it easy to find information in the draft code? 


[X] Yes
[ ] No


If no, please provide your suggestions on how the structure could be 
improved: 


Fine.


Q6 Do you have any examples of direct marketing in practice, good or bad,
that you think it would be useful to include in the code?

[X] Yes
[ ] No


If yes, please provide your direct marketing examples: 


The GDPR and the ICO draft code are both clear as to what constitutes consent; in
particular, the draft code delivers very helpful practical examples of how a customer might
indicate his or her consent to direct marketing activities. Could the ICO please provide
similar practical examples of how controllers might best comply with the soft opt-in under
PECR and how they might offer customers the means of opting out of marketing
communications when providing their details to controllers (assuming a controller seeks to
rely on legitimate interest for, say, postal marketing).


Please note the following examples are not from our own website but from the 
websites of other companies that conduct direct marketing. We have redacted 
the names of the companies from the screenshots below. 


Example 1 - confusion over consent / legitimate interest style questions 


It is not clear to us whether the following permission questions are (i) non-compliant
consent-based marketing permissions because the boxes are pre-ticked; or (ii) the ICO
would consider that by un-ticking a box, an individual is opting out of certain direct
marketing activities and therefore these amount to compliant legitimate interest based
marketing permissions.


[Screenshot of a marketing permission panel; text as far as legible:]

We would love to stay in touch with you about the very best [illegible] and our fantastic [illegible].
Keep these boxes ticked to hear from us by:

Email / Phone / [illegible] / Post (each with a checkbox)

By clicking continue you agree to receive communications from us, unless you have unticked the
boxes above. You can change your preferences at any time. Your information will be used in line
with our Privacy and Cookies policies. Terms and conditions apply.

Back to your basket




[Screenshot of a checkout page; text as far as legible:]

SECURE CHECKOUT

( ) I'm an existing customer
(•) I'm a new customer (checkout as a guest)

Please enter your email address to stay updated with your order

Required

Please confirm how you would like to hear from us:

I'd like to keep up to date with new products, news and offers by email: (•) Yes ( ) No
I'd like to be inspired by brochures and promotions by post: (•) Yes ( ) No
I'd like to receive offers and promotions from selected partners [illegible] post: (•) Yes ( ) No

You can change your preferences at any time

PLEASE ENTER YOUR DETAILS

Treating your personal information with care is important to us. For more information about
how your details will be used, please see our Priv[illegible]


Example 2 - opt out based questions are partially hidden 

Some direct marketing companies do not display their marketing permission questions 
prominently in the new customer journey; the example below shows that customers must 
identify the “click here to opt out” (circled in red below) link which, if clicked, reveals the 
opt-out based questions. We are not sure if, in the ICO’s view, this is compliant with the 
GDPR. 


[Screenshot of a new-customer checkout form; text as far as legible:]

Order now and your [illegible] will be with you on Monday, 17 February.

1. Tell us about you...
Click here to login if you already have an account
* All fields are required

Your first name / Your last name
[illegible] your password / Confirm your password
Your email address / Confirm your email address (We will send your order confirmation here)
Your telephone number
Please confirm your date of birth: 14 / February / 2020

By placing your order you agree to our Terms and Conditions & our use of Cookies

Your order - 1 item
Add a voucher
Add delivery: £0.00
Total to pay: £121.88

Continue shopping


Clicking the ‘click here to opt out’ reveals the following: 


[Screenshot of the revealed opt-out panel; text as far as legible:]

We'd like to notify you about [illegible] and other special offers personalised just for you.
In our privacy policy we explain how we'll use your data and keep it 100% safe.

Opt me out of my monthly free sample reminders

Opt me out of updates and other offers you think I'll love

Opt me out of community news


Q7 Do you have any other suggestions for the direct marketing code? 


Good practice recommendations 

We acknowledge that the Information Commissioner is required by section 122 of the Data 
Protection Act 2018 to prepare a code of practice which provides practical guidance in 
relation to the carrying out of direct marketing in accordance with data protection legislation 
(section 122(1)) and such other guidance as the Commissioner considers appropriate to 
promote good practice in direct marketing. 


The Commissioner makes several good practice recommendations in the draft code; some 
are, in our view, reasonable and we have adopted them into our practices already. 


However, we are concerned about the Commissioner’s recommendation that controllers
ought to “[g]et consent for all your direct marketing regardless of whether PECR requires
it or not.”


The Commissioner herself notes in the draft code that these recommendations “do not have 
the status of legal requirements but aim to help you adopt an effective approach to data 
protection compliance.” 


We do not believe that the recommendation to obtain consent for all direct marketing helps 
controllers adopt an effective approach to data protection compliance. In fact, the 
recommendation is at odds with data protection legislation and errs towards the creation 
of new law. 


The GDPR identifies 6 lawful bases for the processing of personal data. Although the GDPR 
prescribes that controllers use one or other lawful basis in certain circumstances, and 
prescribes certain rules that controllers must comply with to rely on each lawful basis, it 
does not distinguish any hierarchy of lawful bases. Equally, as the Commissioner’s 
recommendation applies, the PECR does not prescribe the use of consent for all direct 
marketing activities. 


Moreover, recital 47 expressly states that the “processing of personal data for direct
marketing purposes may be regarded as carried out for a legitimate interest.” It is for
each controller to determine whether or not processing for direct marketing purposes
should be carried out for a legitimate interest or whether consent is a more appropriate
basis.


That is the ICO’s view as stated here:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/.
It is, we believe, the correct view. To recommend as good practice that
controllers obtain consent for all direct marketing activities has no basis in law and takes
away from controllers the need to consider carefully their relationship with the individual
which is, we believe, a vital aspect of data protection compliance.


We believe the ICO’s good practice recommendation is unhelpful and should be replaced 
with a recommendation that each controller carefully considers whether consent or 
legitimate interests is the most appropriate lawful basis based on the activity in question 
and the relationship with the individual. 


Definition of direct marketing 


On page 3 of the draft code, the ICO states that “[d]irect marketing purposes include all
processing activities that lead up to, enable or support the sending of direct marketing”.
This is, we believe, a misstatement of the law. Section 122(5) of the Data Protection Act
2018 provides a statutory definition of direct marketing:


“the communication (by whatever means) of advertising or marketing material which is 
directed to particular individuals”. 


The law is clear that it is the communication which amounts to direct marketing, not 
(necessarily) the steps leading up to that communication. 


Not only do we consider that the ICO is misstating the law, we also believe that its definition
of direct marketing would cause considerable confusion and detriment to consumers.


Take, as an example, a form of direct marketing communication which requires consent. 


The ICO’s view is that every processing activity up to and including the communication 
itself amounts to direct marketing and would therefore also require consent. 


Consent must, amongst other matters, be unbundled and so companies would need 
separate tick boxes in the customer journey to obtain consent for each stage of the 
processing up to the sending of the communication (which would include storing the data, 
any profiling, sending it to any IT/marketing service provider). Surely this would not be to 
the benefit of consumers? 


About you 


Q8 Are you answering as: 


An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

An individual acting in a professional capacity 

On behalf of an organisation 

Other 


Please specify the name of your organisation: 


Direct Wines Limited


If other please specify: 


How did you find out about this survey? 




ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 




Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 




Thank you for taking the time to complete the survey 




